Ariomex: Iran’s Ariomex crypto exchange suffers major data leak, exposing user and transaction data

Iran’s Ariomex Crypto Exchange Hit by Major Data Breach, Exposing Thousands of User Records

Iran’s Ariomex cryptocurrency exchange has suffered a significant data breach, leaking 11,826 records, with roughly 7,710 tied to Iranian users. The exposed data, reported by cybersecurity firm Resecurity and detailed by Security Affairs, includes user identities, email addresses, IP addresses, and cryptocurrency transaction details, some involving millions of U.S. dollars. Many records lacked KYC verification or contained altered information, raising concerns about illicit financial activity.

The breach occurred on February 24, 2025, when threat actor FulcrumSec exploited the React2Shell vulnerability in an unpatched React frontend application, gaining access to Ariomex’s AWS infrastructure. The stolen data has since circulated on the dark web, potentially aiding in the identification of cryptocurrency holders linked to Iran’s financial ecosystem.

The incident highlights vulnerabilities in customer support systems and the risks of unpatched software in cryptocurrency platforms. The exposed records span transactions from 2022 to 2025, revealing the global reach of Iranian crypto users and the potential for regulatory or law enforcement scrutiny.

Source: https://www.scworld.com/brief/irans-ariomex-crypto-exchange-suffers-major-data-leak-exposing-user-and-transaction-data

Ariomex cybersecurity rating report: https://www.rankiteo.com/company/ariomex

"id": "ARI1772649610",
"linkid": "ariomex",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '7,710 Iranian users (out of '
                                              '11,826 total records)',
                        'industry': 'Finance (Cryptocurrency)',
                        'location': 'Iran',
                        'name': 'Ariomex',
                        'type': 'Cryptocurrency Exchange'}],
 'attack_vector': 'Exploitation of React2Shell vulnerability in unpatched '
                  'React frontend application',
 'data_breach': {'data_exfiltration': 'Yes (data circulated on the dark web)',
                 'number_of_records_exposed': '11,826',
                 'personally_identifiable_information': 'Yes (user identities, '
                                                        'email addresses, IP '
                                                        'addresses)',
                 'sensitivity_of_data': 'High (includes personally '
                                        'identifiable information and '
                                        'financial transaction details)',
                 'type_of_data_compromised': ['User identities',
                                              'Email addresses',
                                              'IP addresses',
                                              'Cryptocurrency transaction '
                                              'details']},
 'date_detected': '2025-02-24',
 'description': 'Iran’s Ariomex cryptocurrency exchange has suffered a '
                'significant data breach, leaking 11,826 records, with roughly '
                '7,710 tied to Iranian users. The exposed data includes user '
                'identities, email addresses, IP addresses, and cryptocurrency '
                'transaction details, some involving millions of U.S. dollars. '
                'Many records lacked KYC verification or contained altered '
                'information, raising concerns about illicit financial '
                'activity.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of illicit financial activity '
                                       'concerns',
            'data_compromised': '11,826 records exposed',
            'identity_theft_risk': 'High (exposed user identities, email '
                                   'addresses, IP addresses)',
            'legal_liabilities': 'Potential regulatory or law enforcement '
                                 'scrutiny',
            'payment_information_risk': 'High (exposed cryptocurrency '
                                        'transaction details)',
            'systems_affected': 'AWS infrastructure, customer support systems'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes',
                           'entry_point': 'React2Shell vulnerability in '
                                          'unpatched React frontend '
                                          'application'},
 'lessons_learned': 'Vulnerabilities in customer support systems and risks of '
                    'unpatched software in cryptocurrency platforms',
 'post_incident_analysis': {'root_causes': 'Unpatched React frontend '
                                           'application with React2Shell '
                                           'vulnerability'},
 'references': [{'source': 'Resecurity'}, {'source': 'Security Affairs'}],
 'response': {'third_party_assistance': 'Resecurity (cybersecurity firm)'},
 'threat_actor': 'FulcrumSec',
 'title': 'Iran’s Ariomex Crypto Exchange Hit by Major Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'React2Shell vulnerability'}